2016-10-28 08:59:51 +00:00
|
|
|
#!/bin/sh
|
|
|
|
# This will unseal and unecncrypt the drive encryption key from the TPM
|
2017-04-12 10:57:58 +00:00
|
|
|
# The TOTP secret will be shown to the user on each encryption attempt.
|
2016-10-28 08:59:51 +00:00
|
|
|
# It will then need to be bundled into initrd that is booted with Qubes.
|
|
|
|
|
|
|
|
TPM_INDEX=3
|
|
|
|
TPM_SIZE=312
|
|
|
|
|
2017-04-12 10:57:58 +00:00
|
|
|
. /etc/functions
|
|
|
|
mkdir -p /tmp/secret
|
2016-10-28 08:59:51 +00:00
|
|
|
|
2017-04-12 10:57:58 +00:00
|
|
|
sealed_file="/tmp/secret/sealed.key"
|
2016-11-23 15:45:39 +00:00
|
|
|
key_file="$1"
|
2017-04-12 10:57:58 +00:00
|
|
|
|
2016-11-23 15:45:39 +00:00
|
|
|
if [ -z "$key_file" ]; then
|
2017-04-12 10:57:58 +00:00
|
|
|
key_file="/tmp/secret/secret.key"
|
2016-11-23 15:45:39 +00:00
|
|
|
fi
|
|
|
|
|
2017-04-02 03:02:00 +00:00
|
|
|
tpm nv_readvalue \
|
2016-10-28 08:59:51 +00:00
|
|
|
-in "$TPM_INDEX" \
|
|
|
|
-sz "$TPM_SIZE" \
|
2017-04-12 10:57:58 +00:00
|
|
|
-of "$sealed_file" \
|
2016-10-28 08:59:51 +00:00
|
|
|
|| die "Unable to read key from TPM NVRAM"
|
|
|
|
|
2017-04-12 10:57:58 +00:00
|
|
|
|
2017-04-12 12:28:31 +00:00
|
|
|
get_password()
|
|
|
|
{
|
|
|
|
last_half=X
|
|
|
|
|
|
|
|
while true; do
|
|
|
|
|
|
|
|
# update the TOTP code every thirty seconds
|
|
|
|
date=`date "+%Y-%m-%d %H:%M:%S"`
|
|
|
|
seconds=`date "+%s"`
|
|
|
|
half=`expr \( $seconds % 60 \) / 30`
|
|
|
|
if [ "$half" != "$last_half" ]; then
|
|
|
|
last_half=$half;
|
|
|
|
TOTP=`unseal-totp` \
|
|
|
|
|| die "TOTP code generation failed"
|
|
|
|
fi
|
|
|
|
|
|
|
|
echo -n "$date $TOTP: "
|
|
|
|
|
|
|
|
# read the first character, non-blocking
|
|
|
|
read \
|
|
|
|
-t 1 \
|
|
|
|
-n 1 \
|
|
|
|
-s \
|
|
|
|
-p "Enter unlock password: " \
|
|
|
|
tpm_password_1 \
|
|
|
|
&& break
|
|
|
|
|
|
|
|
# nothing typed, redraw the line
|
|
|
|
echo -ne '\r'
|
2017-04-12 10:57:58 +00:00
|
|
|
done
|
|
|
|
|
2017-04-12 12:28:31 +00:00
|
|
|
# they have started typing, read the rest, blocking
|
|
|
|
if [ -z "$tpm_password_1" ]; then
|
|
|
|
# they hit enter; we should exit gracefully
|
|
|
|
tpm_password=""
|
|
|
|
else
|
|
|
|
# they hit something else, read the rest of the line
|
|
|
|
read \
|
|
|
|
-s \
|
|
|
|
-p '' \
|
|
|
|
tpm_password_2
|
|
|
|
tpm_password="$tpm_password_1$tpm_password_2"
|
|
|
|
fi
|
|
|
|
|
|
|
|
# clean up with a newline
|
|
|
|
echo
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
for tries in 1 2 3; do
|
|
|
|
get_password
|
|
|
|
|
2017-04-12 10:57:58 +00:00
|
|
|
if tpm unsealfile \
|
|
|
|
-if "$sealed_file" \
|
|
|
|
-of "$key_file" \
|
|
|
|
-pwdd "$tpm_password" \
|
|
|
|
-hk 40000000 \
|
|
|
|
; then
|
|
|
|
rm -f /tmp/secret/sealed
|
|
|
|
exit 0
|
|
|
|
fi
|
|
|
|
|
|
|
|
pcrs
|
|
|
|
warn "Unable to unseal disk encryption key"
|
|
|
|
done
|
|
|
|
|
|
|
|
die "Retry count exceeded..."
|